Wi-Fi hotspot finder app exposed 2M+ passwords
An Android app that allows users to find Wi-Fi hotspots leaked password details of more than 2 million Wi-Fi routers in plain text, according to security researchers.
The WiFi Finder app, with more than 100,000 downloads on Google Play, not only helps users locate Wi-Fi hotspots but also supplies usernames and passwords for those hotspots, and that’s where the security issue arose, according to a report by TechCrunch. The researchers found that the database storing the usernames and passwords used to connect to the Wi-Fi hotspots sat on a server “exposed and unprotected.”
“The exposed data didn’t include contact information for any of the Wi-Fi network owners, but the geolocation of each Wi-Fi network correlated on a map often included networks in wholly residential areas or where no discernible businesses exist,” the report noted. The company behind the app, Chinese company DigitalOcean, was initially contacted with no response but has since taken the database down.
Monique Becenti, product and channel specialist at the website security firm SiteLock LLC, told SiliconANGLE that the problem with exposing the login details is that the database included information from private home networks as well as public ones.
“The app allows users to have unauthorized access to public and private Wi-Fi networks, allowing network owners to offer their Wi-Fi credentials for public connections without prompting them for permission,” Becenti explained. “Users are often more vigilant about their security when using public networks as they are more widely known to be unsecured connections. However, people tend to let down their guard when using their home networks.”
If bad actors access a user’s home network, she added, “they could alter router settings and direct traffic to malicious websites, or even worse, attackers could have the ability to steal sensitive information such as bank logins or credit card data from a residential router.”
Becenti said network owners should think twice about whom they share their residential or business Wi-Fi credentials with. “The risks of widely sharing these passwords highly outweigh the benefits, as users offering their own routers leave their personal traffic and the traffic of the users vulnerable to man-in-the-middle attacks,” she said.
Tim Mackey, senior technical evangelist at Synopsys Inc., said the exposure may have European Union General Data Protection Regulation consequences.
“One of the key components of GDPR is the concept of consent,” he said. “Under this doctrine, users must consent to the collection of personal data by a provider and the provider must similarly disclose how it will manage and process that data. In the case of the HotSpot finder applications’ collection of WiFi password data, we see a situation where the goal of the application and by extension its user base are at odds with the security of others.”
Image: Google Play